vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
#1
09-14-2013, 11:08 AM
SwalyAaron
Join Date: Jan 2013
Posts: 86
Has thanked: 0 times
Been thanked: 0 times in 0 posts
Security flaw with a function

So I was using this function earlier today and noticed something

function pm_api($pmfromuserid, $pmfromusername, $pmtitle, $pmmessage, $username)
{
    global $vbulletin, $botpermissions;

    $pmdm =& datamanager_init('PM', $vbulletin, ERRTYPE_ARRAY);
    $pmdm->set('fromuserid', $pmfromuserid);
    $pmdm->set('fromusername', $pmfromusername);
    $pmdm->set('title', $pmtitle);
    $pmdm->set('message', $pmmessage);
    $pmdm->set_recipients($username, $botpermissions);
    $pmdm->set('dateline', TIMENOW);
    $pmdm->save();
    // The posted version called unset($pmdm) before returning it, which returned null;
    // returning the datamanager directly keeps the rest of the behaviour unchanged.
    return $pmdm;
}

If the $username doesn't exist, it will print out the whole database with all passwords and the password of the database in an error similar to this:

Fatal error:
The following users were not found:
-
Unable to proceed with save while $errors array is not empty in class vB_DataManager_PM in [path]/includes/class_dm.php on line 810
#0 vb_error_handler(256,
The following users were not found:
-

*prints database*

So is there any way I can prevent it from revealing all this info if it can't find the username?
#2
09-14-2013, 11:37 AM
kh99
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Has thanked: 0 times
Been thanked: 0 times in 0 posts

I was looking at the code trying to figure out why all that info would be in the error message, but I can't. In any case, if you're not planning to use the error messages, you could try using ERRTYPE_SILENT instead of ERRTYPE_ARRAY (ETA: although now I'm not sure it will actually stop that message from printing). Also, you should change the code to check $pmdm->errors, and don't call $pmdm->save() if errors is set.
#3
09-14-2013, 04:03 PM
SwalyAaron
Join Date: Jan 2013
Posts: 86
Has thanked: 0 times
Been thanked: 0 times in 0 posts

ERRTYPE_SILENT did the job, thanks. I don't know why all that info was put out; it was seriously everything in my DB plus the DB pass and user.
#4
09-14-2013, 05:27 PM
kh99
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Has thanked: 0 times
Been thanked: 0 times in 0 posts

You really should be doing the second part of that (checking errors before calling save()), because it's the call to save() that's triggering an exception and showing all that info.
#5
09-16-2013, 02:31 PM
SwalyAaron
Join Date: Jan 2013
Posts: 86
Has thanked: 0 times
Been thanked: 0 times in 0 posts

Quote:
Originally Posted by kh99
You really should be doing the second part of that (checking errors before calling save()), because it's the call to save() that's triggering an exception and showing all that info.
Uh, excuse my stupid question, but would the code be like this?

function pm_api($pmfromuserid, $pmfromusername, $pmtitle, $pmmessage, $username)
{
    global $vbulletin, $botpermissions;

    $pmdm =& datamanager_init('PM', $vbulletin, ERRTYPE_ARRAY);
    $pmdm->set('fromuserid', $pmfromuserid);
    $pmdm->set('fromusername', $pmfromusername);
    $pmdm->set('title', $pmtitle);
    $pmdm->set('message', $pmmessage);
    $pmdm->set_recipients($username, $botpermissions);
    $pmdm->set('dateline', TIMENOW);
    if (!isset($pmdm->errors()))
    {
        $pmdm->save();
    }
    // The posted version called unset($pmdm) before returning it, which returned null.
    return $pmdm;
}
Or simply replace ->save() with errors()?
#6
09-16-2013, 04:52 PM
kh99
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Has thanked: 0 times
Been thanked: 0 times in 0 posts

errors isn't a function, so you can't put the parens after it. Also, the vb code uses empty() instead of !isset() (but I can't remember offhand what the difference is if any - probably either will work). Oh, and in the vb code it looks like they call pre_save() before checking the errors.

Anyway, in the vb code they use:

Code:
$pmdm->pre_save();
if (empty($pmdm->errors))
{
$pmdm->save();
}
Thanks from:
SwalyAaron
#7
09-20-2013, 06:57 PM
squidsk
Join Date: Nov 2010
Posts: 969
Has thanked: 0 times
Been thanked: 0 times in 0 posts

Quote:
Originally Posted by kh99
errors isn't a function, so you can't put the parens after it. Also, the vb code uses empty() instead of !isset() (but I can't remember offhand what the difference is if any - probably either will work). Oh, and in the vb code it looks like they call pre_save() before checking the errors.

Anyway, in the vb code they use:

Code:
$pmdm->pre_save();
if (empty($pmdm->errors))
{
$pmdm->save();
}
The reason the code uses empty instead of isset is that isset just checks if the variable exists; the other is used to see if an array has any values in it. An empty array (i.e. with no errors) will return true for empty but false for !isset.
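Putting kh99's advice (post #6) and squidsk's empty()/isset() explanation (post #7) together, here is the poster's pm_api() rewritten so that the datamanager's error list is checked before save() is ever reached. This is an added example, not code from the thread or from vBulletin itself. It assumes the vBulletin 3 datamanager calls already used in the thread (datamanager_init(), set(), set_recipients(), pre_save(), the public $errors array and save()) and the same $vbulletin and $botpermissions globals; the return convention (true on success, the array of error strings on failure) is this example's own choice.

```php
<?php
// Added example, not the thread's or vBulletin's code. Assumes vBulletin 3's
// datamanager API as described in the thread and the globals used by the
// original function.

function pm_api($pmfromuserid, $pmfromusername, $pmtitle, $pmmessage, $username)
{
    global $vbulletin, $botpermissions;

    // ERRTYPE_ARRAY makes the datamanager collect validation failures in
    // $pmdm->errors instead of halting, so the caller decides what to do with them.
    $pmdm =& datamanager_init('PM', $vbulletin, ERRTYPE_ARRAY);
    $pmdm->set('fromuserid', $pmfromuserid);
    $pmdm->set('fromusername', $pmfromusername);
    $pmdm->set('title', $pmtitle);
    $pmdm->set('message', $pmmessage);
    // An unknown recipient is recorded in $pmdm->errors here rather than thrown.
    $pmdm->set_recipients($username, $botpermissions);
    $pmdm->set('dateline', TIMENOW);

    // Run the datamanager's own validation first, as the vB code does; it may
    // append further entries to $pmdm->errors.
    $pmdm->pre_save();

    // $errors is an array, so empty() is the right test: an array with no
    // entries is "empty" but is still set, so !isset() would never be true.
    if (!empty($pmdm->errors))
    {
        $errors = $pmdm->errors;
        unset($pmdm);
        // Hand the errors back to the caller and never call save(), which is
        // the call that raised the fatal error in the original function.
        return $errors;
    }

    $pmdm->save();
    unset($pmdm);
    return true;
}

// Usage inside a vBulletin 3 page context (constructed illustration):
// $result = pm_api($vbulletin->userinfo['userid'], $vbulletin->userinfo['username'],
//                  'Subject', 'Message body', 'recipient_name');
// if ($result !== true)
// {
//     // $result holds the datamanager's error strings; log them server-side
//     // rather than echoing them to the page.
// }
```

Keeping ERRTYPE_ARRAY rather than switching to ERRTYPE_SILENT means the "user not found" condition is still visible to the calling code, while the fatal error path (and whatever the error handler dumps with it) is never triggered because save() is only called when the error array is empty.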